@darranl
Last active February 11, 2021 16:43
Example Commands Encrypting Clear Text Using a SecretKey from the CredentialStore
# Create KeyStoreCredentialStore
java -jar tool/target/wildfly-elytron-tool-1.14.2.CR1-SNAPSHOT.jar credential-store --create --location /home/darranl/tmp/keystorecs.cs
java -jar tool/target/wildfly-elytron-tool-1.14.2.CR1-SNAPSHOT.jar credential-store --location /home/darranl/tmp/keystorecs.cs --generate-secret-key test
# Create PropertiesCredentialStore
java -jar tool/target/wildfly-elytron-tool-1.14.2.CR1-SNAPSHOT.jar credential-store --create --type PropertiesCredentialStore --location /home/darranl/tmp/propertiescs.cs
java -jar tool/target/wildfly-elytron-tool-1.14.2.CR1-SNAPSHOT.jar credential-store --type PropertiesCredentialStore --location /home/darranl/tmp/propertiescs.cs --generate-secret-key test
# Encrypt Clear Text (ARG)
# Encrypt Clear Text (Prompted)
$ java -jar tool/target/wildfly-elytron-tool-1.14.2.CR1-SNAPSHOT.jar
Printing general help message:
usage: java -jar wildfly-elytron-tool.jar credential-store [-a <alias> | -e <alias> | --export-secret-key <alias> | -g <alias> | --generate-secret-key <alias> | -ikp <alias> | --import-secret-key <alias> | -r <alias> | -v | -xp <alias>] [-c] [-d] [-f] [-h] [-i <arg>] [-j <arg>] [-k <arg>] [--key <key>] [-kp <arg>] [-l <loc>] [-n <type>] [-o <providers>] [-p <pwd>] [-pbk <arg> | -pbl <arg>] [-pvk <arg> | -pvl <arg>] [-q <cs-provider>] [-s <arg>] [--size <size>] [-t <type>] [-u <arg>] [-x <secret to store>]
"credential-store" command is used to perform various operations on credential store.
Some of the parameters below are mutually exclusive actions which are marked with (Action) in the description.
-a,--add <alias> Add new alias to the credential store (Action)
-c,--create Create credential store (Action)
-d,--debug Print stack trace when error occurs.
-e,--exists <alias> Check if alias exists within the credential store (Action)
--export-secret-key <alias> Export existing SecretKey stored in the credential store.
-f,--summary Print summary, especially command how to create this credential store
-g,--generate-key-pair <alias> Generate private and public key pair and store them as a KeyPairCredential
--generate-secret-key <alias> Generate a new SecretKey and store it in the credential store.
-h,--help Get help with usage of this command (Action)
-i,--iteration <arg> Iteration count for final masked password of the credential store
-ikp,--import-key-pair <alias> Import a KeyPairCredential into the credential store.
--import-secret-key <alias> Import an existing encoded SecretKey to the credential store.
-j,--size <arg> Size (number of bytes) of the keys when generating a KeyPairCredential.
-k,--algorithm <arg> Encryption algorithm to be used when generating a KeyPairCredential: RSA, DSA, or EC. Default RSA
--key <key> The encoded Key to import.
-kp,--key-passphrase <arg> The passphrase used to decrypt the private key.
-l,--location <loc> Location of credential store storage file
-n,--entry-type <type> Type of entry in credential store
-o,--other-providers <providers> Comma separated list of JCA provider names. Providers will be supplied to the credential store instance.
Each provider must be installed through java.security file or through service loader from properly packaged jar file on classpath.
-p,--password <pwd> Password for credential store
-pbk,--public-key-string <arg> A public key specified as a String.
-pbl,--public-key-location <arg> The location of a file containing a public key.
-pvk,--private-key-string <arg> A private key specified as a String.
-pvl,--private-key-location <arg> The location of a file containing a private key.
-q,--credential-store-provider <cs-provider> Provider name containing CredentialStoreSpi implementation.
Provider must be installed through java.security file or through service loader from properly packaged jar file on classpath.
-r,--remove <alias> Remove alias from the credential store (Action)
-s,--salt <arg> Salt to apply for final masked password of the credential store
--size <size> Key size (bits).
-t,--type <type> Credential store type
-u,--properties <arg> Implementation properties for credential store type in form of "prop1=value1; ... ;propN=valueN" .
Supported properties are dependent on credential store type
KeyStoreCredentialStore (default implementation) supports following additional properties (all are optional):
keyStoreType - specifies the key store type to use (defaults to "JCEKS")
keyAlias - specifies the secret key alias within the key store to use for encrypt/decrypt of data in external storage (defaults to "cs_key")
external - specifies whether to store data to external storage and encrypted by keyAlias key (defaults to "false")
cryptoAlg - cryptographic algorithm name to be used to encrypt/decrypt entries at external storage "external" has to be set to "true"
-v,--aliases Display all aliases (Action)
-x,--secret <secret to store> Password credential value
-xp,--export-key-pair-public-key <alias> Prints the public key stored under a KeyPairCredential as Base64 encoded String, in OpenSSH format.
usage: java -jar wildfly-elytron-tool.jar vault [-b <description file>] [-d] [-e <dir>] [-f] [-h] [-i <arg>] [-k <keystore>] [-l <loc>] [-o <providers>] [-p <pwd>] [-q <cs-provider>] [-s <salt>] [-t <type>] [-u <arg>] [-v <arg>]
"vault" command is used convert PicketBox Security Vault to credential store using default implementation (KeyStoreCredentialStore) or custom implementation set with the "type" option.
Some of the parameters below are mutually exclusive actions which are marked with (Action) in the description.
-b,--bulk-convert <description file> Bulk conversion with options listed in description file. All options have no default value and should be set in the file. (Action)
All options are required with the exceptions:
- "properties" option
- "type" option (defaults to "KeyStoreCredentialStore")
- "credential-store-provider" option
- "other-providers" option
- "salt" and "iteration" options can be omitted when plain-text password is used
Each set of options must start with the "keystore" option in the following format:
keystore:<value>
keystore-password:<value>
enc-dir:<value>
salt:<value>
iteration:<value>
location:<value>
alias:<value>
properties:<parameter1>=<value1>; ... ;<parameterN>=<valueN>
type:<value>
credential-store-provider:<value>
other-providers:<value>
-d,--debug Print stack trace when error occurs.
-e,--enc-dir <dir> Vault directory containing encrypted files (defaults to "vault")
-f,--summary Print summary of conversion
-h,--help Get help with usage of this command (Action)
-i,--iteration <arg> Iteration count (defaults to "23")
-k,--keystore <keystore> Vault keystore URL (defaults to "vault.keystore")
-l,--location <loc> Location of credential store storage file (defaults to "converted-vault.cr-store" in vault encryption directory)
-o,--other-providers <providers> Comma separated list of JCA provider names. Providers will be supplied to the credential store instance.
Each provider must be installed through java.security file or through service loader from properly packaged jar file on classpath.
-p,--keystore-password <pwd> Vault keystore password:
- used to open original vault key store
- used as password for new converted credential store
-q,--credential-store-provider <cs-provider> Provider name containing CredentialStoreSpi implementation.
Provider must be installed through java.security file or through service loader from properly packaged jar file on classpath.
-s,--salt <salt> 8 character salt (defaults to "12345678")
-t,--type <type> Converted credential store type (defaults to "KeyStoreCredentialStore")
-u,--properties <arg> Configuration parameters for credential store in form of: "parameter1=value1; ... ;parameterN=valueN"
Supported parameters are dependent on credential store type
Generally supported parameters for default credential store implementation (all are optional):
create - automatically creates credential store file (true/false)
modifiable - is the credential modifiable (true/false)
location - file location of credential store
keyStoreType - specify the key store type to use
-v,--alias <arg> Vault master key alias within key store (defaults to "vault")
usage: java -jar wildfly-elytron-tool.jar filesystem-realm [-b <name>] [--debug] [-f <name>] [--help] [-o <directory>] [-r <file>] [-s <name>] [--silent] [--summary] [-u <file>]
'FileSystemRealm' command is used to convert legacy properties files and scripts to an Elytron FileSystemRealm.
Some of the parameters below are mutually exclusive actions which are marked with (Action) in the description.
-b,--bulk-convert <name> Bulk conversion with options listed in description file. Optional options have default values, required options do not. (Action)
The options fileSystemRealmName and securityDomainName are optional.
These optional options have default values of: converted-properties-filesystem-realm and converted-properties-security-domain.
Values are required for the following options: users-file, roles-file, and output-location.
If one or more these required values are not set, the corresponding block is skipped.
Each option must be specified in the following format: <option>:<value>. The order of options does not matter.
Blocks of options must be separated by a blank line.
--debug Print stack trace when error occurs.
-f,--filesystem-realm-name <name> Name of the filesystem-realm to be configured.
--help Get help with usage of this command (Action)
-o,--output-location <directory> The relative or absolute path to the output directory.
-r,--roles-file <file> The relative or absolute path to the roles file.
-s,--security-domain-name <name> Name of the security-domain to be configured.
--silent Suppresses all output except errors and prompts.
--summary Provides a detailed summary of all operations performed, once the command finishes.
-u,--users-file <file> The relative or absolute path to the users file.
usage: java -jar wildfly-elytron-tool.jar mask [-d] [-h] [-i <arg>] [-s <arg>] [-x <to encrypt>]
"mask" command is used to get MASK- string encrypted using PBEWithMD5AndDES in PicketBox compatible way.
Some of the parameters below are mutually exclusive actions which are marked with (Action) in the description.
-d,--debug Print stack trace when error occurs.
-h,--help Get help with usage of this command (Action)
-i,--iteration <arg> Iteration count for masked string
-s,--salt <arg> Salt to apply to masked string
-x,--secret <to encrypt> Secret to be encrypted